论文信息 - Taming False Alarms from a Domain-Unaware C Analyzer by a Bayesian Statistical Post Analysis

Taming False Alarms from a Domain-Unaware C Analyzer by a Bayesian Statistical Post Analysis

We present our experience of combining, in a realistic setting, a static analyzer with a statistical analysis. This combination is in order to reduce the inevitable false alarms from a domain-unaware static analyzer. Our analyzer named Airac(Array Index Range Analyzer for C) collects all the true buffer-overrun points in ANSI C programs. The soundness is maintained, and the analysis' cost-accuracy improvement is achieved by techniques that static analysis community has long accumulated. For still inevitable false alarms (e.g. Airac raised 970 buffer-overrun alarms in commercial C programs of 5.3 million lines and 737 among the 970 alarms were false), which are always apt for particular C programs, we use a statistical post analysis. The statistical analysis, given the analysis results (alarms), sifts out probable false alarms and prioritizes true alarms. It estimates the probability of each alarm being true. The probabilities are used in two ways: 1) only the alarms that have true-alarm probabilities higher than a threshold are reported to the user; 2) the alarms are sorted by the probability before reporting, so that the user can check highly probable errors first. In our experiments with Linux kernel sources, if we set the risk of missing true error is about 3 times greater than false alarming, 74.83% of false alarms could be filtered; only 15.17% of false alarms were mixed up until the user observes 50% of the true alarms.

[1] A. Rollett,et al. The Monte Carlo Method , 2004 .

[2] J. Berger. Statistical Decision Theory and Bayesian Analysis , 1988 .

[3] A. Brix. Bayesian Data Analysis, 2nd edn , 2005 .

[4] Patrick Cousot,et al. The ASTREÉ Analyzer , 2005, ESOP.

[5] Dawson R. Engler,et al. Z-Ranking: Using Statistical Analysis to Counter the Impact of Static Analysis Approximations , 2003, SAS.

[6] Dawson R. Engler,et al. ARCHER: using symbolic, path-sensitive analysis to detect memory access errors , 2003, ESEC/FSE-11.

[7] Patrick Cousot,et al. Comparing the Galois Connection and Widening/Narrowing Approaches to Abstract Interpretation , 1992, PLILP.

[8] Richard Lippmann,et al. Testing static analysis tools using exploitable buffer overflows from open source code , 2004, SIGSOFT '04/FSE-12.

[9] James O. Berger,et al. Statistical Decision Theory and Bayesian Analysis, Second Edition , 1985 .

[10] Xavier Rival,et al. Trace Partitioning in Abstract Interpretation Based Static Analyzers , 2005, ESOP.

[11] Patrick Cousot,et al. The ASTR ´ EE Analyzer , 2005 .

[12] Michael Rodeh,et al. CSSV: towards a realistic tool for statically detecting all buffer overflows in C , 2003, PLDI '03.

[13] Pierre Deransart,et al. Programming Languages Implementation and Logic Programming , 1989, Lecture Notes in Computer Science.

[14] Patrick Cousot,et al. A static analyzer for large safety-critical software , 2003, PLDI.